[BUG] Cross-cluster search in proxy mode not using server_name in SNI #17316

Open
petergvizd-s1 opened this issue Feb 11, 2025 · 4 comments
Labels
bug Something isn't working Search:Remote Search


@petergvizd-s1

Describe the bug

Hello,
during setup of cross-cluster search in proxy mode I found an issue: OpenSearch is not using server_name as part of SNI in the TLS Client Hello. Can you please help?

Related component

Search:Remote Search

To Reproduce

  1. Create opensearch remote cluster via API
     PUT /_cluster/settings
     {
       "persistent": {
         "cluster": {
           "remote": {
             "opensearch-test": {
               "mode": "proxy",
               "proxy_address": "opensearch.org:443",
               "server_name": "opensearch.org"
             }
           }
         }
       }
     }
  2. Start tcpdump capture to file with
     tcpdump -i eth0 "dst port 443 and dst opensearch.org and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)" -w /tmp/nosni.pcap
  3. Try cross cluster search via API
     GET opensearch-test:test_index/_search
  4. Stop tcpdump
  5. Analyse /tmp/nosni.pcap in Wireshark, there won't be any SNI information presented

Expected behavior

There should be SNI information present in the captured packets, the same way as during the following procedure:

  1. Start tcpdump capture to file with
     tcpdump -i eth0 "dst port 443 and dst opensearch.org and (tcp[((tcp[12] & 0xf0) >> 2)] = 0x16)" -w /tmp/sni.pcap
  2. Test SSL connection with
     echo "Q" | openssl s_client -connect opensearch.org:443
  3. Stop tcpdump
  4. Analyse /tmp/sni.pcap in Wireshark, there will be SNI information presented

Additional Details

Plugins
opensearch-alerting 2.17.1.0
opensearch-anomaly-detection 2.17.1.0
opensearch-asynchronous-search 2.17.1.0
opensearch-cross-cluster-replication 2.17.1.0
opensearch-custom-codecs 2.17.1.0
opensearch-flow-framework 2.17.1.0
opensearch-geospatial 2.17.1.0
opensearch-index-management 2.17.1.0
opensearch-job-scheduler 2.17.1.0
opensearch-knn 2.17.1.0
opensearch-ml 2.17.1.0
opensearch-neural-search 2.17.1.0
opensearch-notifications 2.17.1.0
opensearch-notifications-core 2.17.1.0
opensearch-observability 2.17.1.0
opensearch-performance-analyzer 2.17.1.0
opensearch-reports-scheduler 2.17.1.0
opensearch-security 2.17.1.0
opensearch-security-analytics 2.17.1.0
opensearch-skills 2.17.1.0
opensearch-sql 2.17.1.0
opensearch-system-templates 2.17.1.0
prometheus-exporter 2.17.1.0
query-insights 2.17.1.0
repository-s3 2.17.1

Screenshots
Wireshark example of /tmp/nosni.pcap

Image

Wireshark example of /tmp/sni.pcap

Image

Host/Environment (please complete the following information):

  • opensearchproject/opensearch:2.17.1 image running inside EKS

Additional context
N/A

@sandeshkr419
Contributor

@cwperks @ankitkala - Do you have some context here?

@cwperks
Member

cwperks commented Feb 13, 2025

Is there a version of OpenSearch where it was setting SNI information when setting up a remote cluster in proxy mode?

@petergvizd-s1
Author

Hello @cwperks, please, what is then the purpose of the server_name attribute in proxy mode?

@cwperks
Member

cwperks commented Feb 14, 2025

You're right that that is the purpose, but I was wondering if the behavior changed at some point and if so, what version was the change observed in? Since the issue is marked bug, I am trying to determine if this was a regression from previous behavior to pinpoint the change where the behavior had changed.
